From Fedora Project Wiki

< Changes

Revision as of 19:28, 22 February 2023 by Bcotton (talk | contribs) (FESCo has dropped this Change. It may be resubmitted when the owner is ready to move forward. https://meetbot.fedoraproject.org/fedora-meeting/2023-02-21/fesco.2023-02-21-17.00.log.html)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Drop NIS(+) support from PAM

Summary

This change is about dropping user-authentication using NIS(+) from PAM.


Owner


Current status

Detailed Description

NIS(+) was introduced by Sun/Oracle to easily share files and system users between UNIX-alike systems within the same network, and has been around for some decades. Its simplicity though opens a variety of possible security issues, like not being able the verify whether the shared information is actually correct and/or trustworthy. That said, and with several more secure options (LDAP, Kerberos, Samba, etc.) to achieve the same goal, we should at least remove support for NIS for user authentication.


Feedback

There was some discussion on the fedora-devel mailing-list. Some people are reluctant about the removal of NIS(+) support from PAM, while most are okay with it as there are more secure alternatives (LDAP, FreeIPA, etc.) available.


Benefit to Fedora

With this change we start directing our users and developers to move away from NIS(+) to secure alternatives like LDAP and/or FreeIPA.


Scope

  • Proposal owners:
    • Adapt the pam spec file to build without support for NIS(+).
    • Communicate the removal of the PAM configuration for user-authentication using NIS with the authselect maintainers; also offer assistance to implement the needed changes.
  • Other developers:
    • Apply the pull-request to the authselect package.
    • Test this change.
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives: N/A


Upgrade/compatibility impact

Users that were relying on support for NIS(+) will need to move to secure alternatives like LDAP and/or FreeIPA.


How To Test

There is no need to test, as when configure switch is removed, support is dropped.


User Experience

For some users this change may be a bit disruptive and it may require some learning curve for switching to alternative solutions.


Dependencies

  • The authselect package needs to be updated to drop its PAM configuration for user-authentication using NIS.
  • Apart from that there are actually no rpms, that directly depend on the change of the functionality of the affected PAM module.


Contingency Plan

  • Contingency mechanism: Revert the changes made to the affected packages and rebuild them.
  • Contingency deadline: At beta freeze. Documentation and/or migration tools must be prominently available, per FESCo.
  • Blocks release? Yes.

Documentation

The documentation about sharing system users and files over NIS should be dropped, if there even is any.


Release Notes

Support for NIS(+) has been dropped from PAM. Users, who are currently using NIS(+) to share UNIX users / groups within a network, should migrate their setups to use LDAP or some other secure service providing comparable functionalities before updating to Fedora 36.